Enable ptrace protection for browser sandbox #984

Merged: 1 commit, Jul 14, 2020

Conversation

daradib (Member) commented Jul 14, 2020

Only allow ptrace from a parent process to its children or via
CAP_SYS_PTRACE.

To verify sandbox status for Brave, Chrome, Firefox see
brave://sandbox, chrome://sandbox, about:support, respectively.

Also describe disadvantages of enabling unprivileged user namespaces.
Distributions like Debian currently disable unprivileged user namespaces
by default to decrease the kernel attack surface for local privilege
escalation. See Debian bug #898446. If kept disabled, Brave 1.2+ and
Chrome will still enforce namespace sandboxing via their setuid-root
helper executable. See brave/brave-browser#3420 and
brave/brave-browser#6247. Firefox does not include a setuid-root binary,
however, so unprivileged user namespaces are useful to have for
defence-in-depth, but not critical. See
https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html.

ocfbot (Contributor) commented Jul 14, 2020

Errored hosts (0)

Changed hosts (28)

Unaffected hosts (71)


Changed hosts
diff for acid.ocf.berkeley.edu, arsenic.ocf.berkeley.edu, asteroid.ocf.berkeley.edu, avalanche.ocf.berkeley.edu, bigbang.ocf.berkeley.edu, blackout.ocf.berkeley.edu, blight.ocf.berkeley.edu, blizzard.ocf.berkeley.edu, cyanide.ocf.berkeley.edu, destruction.ocf.berkeley.edu, drought.ocf.berkeley.edu, eruption.ocf.berkeley.edu, famine.ocf.berkeley.edu, firewhirl.ocf.berkeley.edu, hailstorm.ocf.berkeley.edu, headcrash.ocf.berkeley.edu, heatwave.ocf.berkeley.edu, invasion.ocf.berkeley.edu, madcow.ocf.berkeley.edu, meteorstorm.ocf.berkeley.edu, plague.ocf.berkeley.edu, sinkhole.ocf.berkeley.edu, surge.ocf.berkeley.edu, tornado.ocf.berkeley.edu, typhoon.ocf.berkeley.edu, venom.ocf.berkeley.edu, volcano.ocf.berkeley.edu, wildfire.ocf.berkeley.edu
*******************************************
  Sysctl[kernel.unprivileged_userns_clone] =>
   parameters =>
     ensure =>
      + 1
     value =>
      - 1
*******************************************
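Review bot: in the Sysctl[kernel.unprivileged_userns_clone] hunk the 1 has moved from value to ensure (`+ 1` under ensure, `- 1` under value), which is the wrong parameter. ensure on a sysctl resource takes present/absent, so as shown this stops managing the value and is likely to be rejected as an invalid ensure instead of keeping unprivileged user namespaces enabled. Keep `value => '1'` and leave ensure untouched.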
+ Sysctl[kernel.yama.ptrace_scope] =>
   parameters =>
     "value": "1"
*******************************************
Unaffected hosts
anthrax.ocf.berkeley.edu
autocrat.ocf.berkeley.edu
bedbugs.ocf.berkeley.edu
bigrip.ocf.berkeley.edu
biohazard.ocf.berkeley.edu
bolide.ocf.berkeley.edu
calamity.ocf.berkeley.edu
corruption.ocf.berkeley.edu
coup.ocf.berkeley.edu
dataloss.ocf.berkeley.edu
deadlock.ocf.berkeley.edu
death.ocf.berkeley.edu
dementors.ocf.berkeley.edu
democracy.ocf.berkeley.edu
dev-fallingrocks.ocf.berkeley.edu
failure.ocf.berkeley.edu
fallingrocks.ocf.berkeley.edu
falsevacuum.ocf.berkeley.edu
fire.ocf.berkeley.edu
firestorm.ocf.berkeley.edu
flood.ocf.berkeley.edu
fraud.ocf.berkeley.edu
fukushima.ocf.berkeley.edu
gridlock.ocf.berkeley.edu
hal.ocf.berkeley.edu
hellfire.ocf.berkeley.edu
jaws.ocf.berkeley.edu
leprosy.ocf.berkeley.edu
lethe.ocf.berkeley.edu
lightning.ocf.berkeley.edu
maelstrom.ocf.berkeley.edu
monsoon.ocf.berkeley.edu
nuke.ocf.berkeley.edu
oilspill.ocf.berkeley.edu
pandemic.ocf.berkeley.edu
panic.ocf.berkeley.edu
pestilence.ocf.berkeley.edu
pgp.ocf.berkeley.edu
pileup.ocf.berkeley.edu
pox.ocf.berkeley.edu
quarantine.ocf.berkeley.edu
quicksand.ocf.berkeley.edu
ragnarok.ocf.berkeley.edu
rapture.ocf.berkeley.edu
reaper.ocf.berkeley.edu
rejection.ocf.berkeley.edu
riot.ocf.berkeley.edu
riptide.ocf.berkeley.edu
sarin.ocf.berkeley.edu
scurvy.ocf.berkeley.edu
segfault.ocf.berkeley.edu
shipwreck.ocf.berkeley.edu
singularity.ocf.berkeley.edu
solarflare.ocf.berkeley.edu
spectre.ocf.berkeley.edu
stackclash.ocf.berkeley.edu
supernova.ocf.berkeley.edu
tempest.ocf.berkeley.edu
thunder.ocf.berkeley.edu
trojan.ocf.berkeley.edu
tsunami.ocf.berkeley.edu
vampires.ocf.berkeley.edu
virus.ocf.berkeley.edu
vortex.ocf.berkeley.edu
walpurgisnacht.ocf.berkeley.edu
war.ocf.berkeley.edu
whirlwind.ocf.berkeley.edu
whiteout.ocf.berkeley.edu
worm.ocf.berkeley.edu
zerg.ocf.berkeley.edu
zombies.ocf.berkeley.edu


ocfbot (Contributor) commented Jul 14, 2020

Errored hosts (0)

Changed hosts (28)

Unaffected hosts (71)


Changed hosts
diff for acid.ocf.berkeley.edu, arsenic.ocf.berkeley.edu, asteroid.ocf.berkeley.edu, avalanche.ocf.berkeley.edu, bigbang.ocf.berkeley.edu, blackout.ocf.berkeley.edu, blight.ocf.berkeley.edu, blizzard.ocf.berkeley.edu, cyanide.ocf.berkeley.edu, destruction.ocf.berkeley.edu, drought.ocf.berkeley.edu, eruption.ocf.berkeley.edu, famine.ocf.berkeley.edu, firewhirl.ocf.berkeley.edu, hailstorm.ocf.berkeley.edu, headcrash.ocf.berkeley.edu, heatwave.ocf.berkeley.edu, invasion.ocf.berkeley.edu, madcow.ocf.berkeley.edu, meteorstorm.ocf.berkeley.edu, plague.ocf.berkeley.edu, sinkhole.ocf.berkeley.edu, surge.ocf.berkeley.edu, tornado.ocf.berkeley.edu, typhoon.ocf.berkeley.edu, venom.ocf.berkeley.edu, volcano.ocf.berkeley.edu, wildfire.ocf.berkeley.edu
*******************************************
+ Sysctl[kernel.yama.ptrace_scope] =>
   parameters =>
     "value": "1"
*******************************************
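Review bot: this run adds only Sysctl[kernel.yama.ptrace_scope] with value "1" and no longer touches kernel.unprivileged_userns_clone, so the ensure/value mix-up from the first run is gone; nothing else to flag in this hunk.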


daradib (Member, Author) commented Jul 14, 2020

With sysctl kernel.unprivileged_userns_clone=0:

```
Layer 1 Sandbox                               SUID
PID namespaces                                Yes
Network namespaces                            Yes
Seccomp-BPF sandbox                           Yes
Seccomp-BPF sandbox supports TSYNC            Yes
Ptrace Protection with Yama LSM (Broker)      Yes
Ptrace Protection with Yama LSM (Non-broker)  Yes
```

With sysctl kernel.unprivileged_userns_clone=1:

```
Layer 1 Sandbox                               Namespace
PID namespaces                                Yes
Network namespaces                            Yes
Seccomp-BPF sandbox                           Yes
Seccomp-BPF sandbox supports TSYNC            Yes
Ptrace Protection with Yama LSM (Broker)      Yes
Ptrace Protection with Yama LSM (Non-broker)  No
```

Ptrace Protection with Yama LSM (Non-broker) is expected to be No when using unprivileged user namespaces. See https://chromium.googlesource.com/chromium/src/+/d267fd9917cb1c7494a8067ea3c6f1831bb37e78%5E%21/

> Also, when the Chrome renderers are sandboxed with user namespaces,
> any process in the parent namespace with the same UID is able to
> ptrace the renderer. However, the chrome://sandbox page displays Yama
> LSM as enforcing. This makes it clear that Yama LSM is not protecting
> the renderer processes from ptrace by adding "Ptrace Protection with
> Yama LSM (Non-broker)" to the webpage.
> [...]
> // If there is no ptrace protection anywhere, that is bad.
> // If there is no ptrace protection for nonbroker processes because of the
> // user namespace sandbox, that is fine and we display as medium.

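The rating rule quoted from the Chromium change, re-implemented as an added example (not Chromium's code, and not part of this PR or the OCF puppet repository): it parses a copied chrome://sandbox table, here constructed from the two tables pasted in the comment above, picks out the Layer 1 row and the two Yama rows, and returns bad, medium or good. The struct, function and constant names are assumptions of this example, and so is one decision the quoted comment does not cover: a table with broker protection missing but non-broker protection present is treated as bad.

```c
#include <stdio.h>
#include <string.h>

enum ptrace_rating { PTRACE_RATING_BAD = 0, PTRACE_RATING_MEDIUM = 1, PTRACE_RATING_GOOD = 2 };

struct sandbox_status {
    int layer1_namespace; /* 1 if "Layer 1 Sandbox" is Namespace, 0 if SUID */
    int yama_broker;      /* "Ptrace Protection with Yama LSM (Broker)" is Yes */
    int yama_nonbroker;   /* "Ptrace Protection with Yama LSM (Non-broker)" is Yes */
};

/* True when the last space-separated word of the row equals `word`. */
static int row_ends_with(const char *line, const char *word)
{
    const char *sp = strrchr(line, ' ');
    const char *last = sp ? sp + 1 : line;
    return strcmp(last, word) == 0;
}

/* Pull the three rows that matter out of a copied chrome://sandbox table.
 * Each copied row is "<row name> <Yes|No|SUID|Namespace>"; rows that are
 * absent from the text count as "No". */
void parse_sandbox_status(const char *text, struct sandbox_status *st)
{
    char buf[2048];
    memset(st, 0, sizeof *st);
    snprintf(buf, sizeof buf, "%s", text);
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        if (strncmp(line, "Layer 1 Sandbox ", 16) == 0)
            st->layer1_namespace = row_ends_with(line, "Namespace");
        else if (strstr(line, "Yama LSM (Broker)"))
            st->yama_broker = row_ends_with(line, "Yes");
        else if (strstr(line, "Yama LSM (Non-broker)"))
            st->yama_nonbroker = row_ends_with(line, "Yes");
    }
}

/* The rule from the quoted Chromium comment: no ptrace protection anywhere
 * is bad; non-broker protection missing only because the user-namespace
 * sandbox is in use is acceptable and shown as medium; full coverage is
 * good. Any other partial coverage is treated as bad (assumption). */
enum ptrace_rating rate_ptrace_protection(const struct sandbox_status *st)
{
    if (!st->yama_broker && !st->yama_nonbroker)
        return PTRACE_RATING_BAD;
    if (st->yama_broker && st->yama_nonbroker)
        return PTRACE_RATING_GOOD;
    if (st->yama_broker && st->layer1_namespace)
        return PTRACE_RATING_MEDIUM;
    return PTRACE_RATING_BAD;
}

enum ptrace_rating rate_status_text(const char *text)
{
    struct sandbox_status st;
    parse_sandbox_status(text, &st);
    return rate_ptrace_protection(&st);
}

/* Constructed copies of the two tables pasted above (SUID sandbox with
 * unprivileged_userns_clone=0, namespace sandbox with it set to 1). */
const char *const STATUS_SUID =
    "Layer 1 Sandbox SUID\n"
    "PID namespaces Yes\n"
    "Network namespaces Yes\n"
    "Seccomp-BPF sandbox Yes\n"
    "Seccomp-BPF sandbox supports TSYNC Yes\n"
    "Ptrace Protection with Yama LSM (Broker) Yes\n"
    "Ptrace Protection with Yama LSM (Non-broker) Yes\n";

const char *const STATUS_USERNS =
    "Layer 1 Sandbox Namespace\n"
    "PID namespaces Yes\n"
    "Network namespaces Yes\n"
    "Seccomp-BPF sandbox Yes\n"
    "Seccomp-BPF sandbox supports TSYNC Yes\n"
    "Ptrace Protection with Yama LSM (Broker) Yes\n"
    "Ptrace Protection with Yama LSM (Non-broker) No\n";

int main(void)
{
    static const char *const names[] = { "bad", "medium", "good" };
    printf("SUID sandbox table      : %s\n", names[rate_status_text(STATUS_SUID)]);
    printf("namespace sandbox table : %s\n", names[rate_status_text(STATUS_USERNS)]);
    return 0;
}
```

The point of keeping the Layer 1 row in the decision is the one the Chromium comment makes: a "No" in the non-broker row is only benign when it is the user-namespace sandbox, not Yama, that is missing; the same "No" under the SUID sandbox would mean ptrace protection really is absent for the renderers.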
```puppet
    # Enable ptrace protection. Only allow ptrace from a parent process to its
    # children or via CAP_SYS_PTRACE.
    'kernel.yama.ptrace_scope':
      value => '1';
```
Member commented:

Interesting, I had thought this was already set.

Wonder if we should enable this for all machines?

daradib (Member, Author) replied:

Looks like Debian disabled it in bug #712740. Yeah, we could enable it for all machines as Ubuntu does. It obviously won't prevent rogue processes from messing with user files including Kerberos tickets, but the only downside is losing the ability to gdb/strace processes running in the background without root (breaks gdb --attach and strace -p) and possibly some edge cases like wine. I'll merge this for now and in the meantime maybe one of you root folks can test sysctl kernel.yama.ptrace_scope=1 on the login server, app host, etc.
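What kernel.yama.ptrace_scope=1 actually changes, including the gdb --attach and strace -p breakage mentioned in the reply above, can be checked directly. The program below is an added example and not code from this PR or the OCF puppet repository: it models the four ptrace_scope values as a function, reads the live value, then has a sibling process (same uid, not an ancestor of the target) try PTRACE_ATTACH on a sleeping child, first as-is and then after the child has opted in with prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY). All function and variable names are this example's own; it assumes a Linux host and, for the model line it prints, that the caller does not hold CAP_SYS_PTRACE.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Model of Yama's PTRACE_ATTACH decision, applied after the classic check
 * (same uid, dumpable target) has already passed:
 *  0: classic rules only
 *  1: tracer must be an ancestor of the tracee, or the tracee opted in with
 *     prctl(PR_SET_PTRACER, ...), or the tracer holds CAP_SYS_PTRACE
 *  2: only CAP_SYS_PTRACE
 *  3: nobody, and the sysctl cannot be lowered again without a reboot */
int yama_allows_attach(int scope, int tracer_is_ancestor,
                       int tracee_opted_in, int tracer_has_cap_sys_ptrace)
{
    switch (scope) {
    case 0:  return 1;
    case 1:  return tracer_is_ancestor || tracee_opted_in || tracer_has_cap_sys_ptrace;
    case 2:  return tracer_has_cap_sys_ptrace;
    default: return 0;
    }
}

/* Live kernel.yama.ptrace_scope, or -1 if Yama is not loaded. */
int read_ptrace_scope(void)
{
    int v = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* PTRACE_ATTACH to target, wait for the attach stop, detach again.
 * Returns 0, or the errno of the failed attach (Yama denies with EPERM). */
int try_attach(pid_t target)
{
    if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == -1)
        return errno;
    waitpid(target, NULL, 0);   /* a tracer may wait on a non-child tracee */
    ptrace(PTRACE_DETACH, target, NULL, NULL);
    return 0;
}

/* Fork a child that sleeps forever, optionally after allowing any tracer
 * with PR_SET_PTRACER_ANY; returns only once the child has run the prctl. */
static pid_t spawn_sleeper(int opt_in_any)
{
    int fds[2];
    char ready;
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (opt_in_any)
            prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
        if (write(fds[1], "r", 1) != 1)
            _exit(1);
        for (;;)
            pause();
    }
    close(fds[1]);
    if (read(fds[0], &ready, 1) != 1)
        pid = -1;
    close(fds[0]);
    return pid;
}

/* Attach from a fresh sibling: same uid as target but not an ancestor of it,
 * which is exactly the position gdb --attach or strace -p is in. */
static int attach_from_sibling(pid_t target)
{
    int status;
    pid_t b = fork();
    if (b == 0)
        _exit(try_attach(target));
    waitpid(b, &status, 0);
    return WEXITSTATUS(status);
}

static const char *verdict(int err) { return err ? strerror(err) : "allowed"; }

int main(void)
{
    int scope = read_ptrace_scope();
    printf("kernel.yama.ptrace_scope = %d\n", scope);

    pid_t a = spawn_sleeper(0);
    if (a <= 0) return 1;
    printf("sibling attach, no opt-in   : %s\n", verdict(attach_from_sibling(a)));
    printf("parent attach (ancestor)    : %s\n", verdict(try_attach(a)));
    kill(a, SIGKILL); waitpid(a, NULL, 0);

    a = spawn_sleeper(1);
    if (a <= 0) return 1;
    printf("sibling attach, opted in    : %s\n", verdict(attach_from_sibling(a)));
    kill(a, SIGKILL); waitpid(a, NULL, 0);

    /* Model prediction for the first case, assuming no CAP_SYS_PTRACE. */
    if (scope >= 0)
        printf("model says sibling/no opt-in: %s\n",
               yama_allows_attach(scope, 0, 0, 0) ? "allowed" : "denied");
    return 0;
}
```

Built with `cc -o yama_demo yama_demo.c` and run as an unprivileged user on a host with ptrace_scope=1, the sibling attach without opt-in reports "Operation not permitted" (the failure gdb --attach and strace -p see), while the parent attach and the opted-in sibling attach succeed; with ptrace_scope=0 all three succeed. PR_SET_PTRACER is the per-process escape hatch for programs that legitimately need a non-ancestor tracer, crash handlers being the usual case, and is a much narrower change than lowering the sysctl for the whole host.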

@daradib daradib merged commit a53c04b into master Jul 14, 2020
@daradib daradib deleted the userns branch July 14, 2020 22:16